Articles about bug bounty

SecurEnvoy SecurMail, you say? Only after this patch is applied, though

Recently resolved vulnerabilities in SecurEnvoy's encrypted email transfer SecurMail created a way for encrypted emails in users' inboxes to be read, overwritten and deleted by others. The flaws – uncovered by Austrian security firm SEC Consult during a crash test – included cross-site scripting, cross-site request forgery, …
John Leyden, 13 Mar 2018

Hehe, still writing code for a living? It's 2018. You could be earning x3 as a bug bounty hunter

Ethical hacking to find security flaws appears to pay better, albeit less regularly, than general software engineering. And while payment remains one of the top rationales for breaking code, hackers have begun citing more civic-minded reasons for their activities. A survey of 1,700 bug bounty hunters from more than 195 …
Thomas Claburn, 17 Jan 2018

Bug-finders' scheme: Tick-tock, this tech's tested by flaws… but who the heck do you tell?

Security researcher E. Foudil is pushing a scheme to make it easier for bug finders to notify companies about problems with their technology. The idea revolves around “security.txt” - a simple text file, much like robots.txt, that contains information on whom to contact or where to look for security related information about a …
John Leyden, 3 Jan 2018

Florida Man… pockets Uber cash to keep quiet about data breach

A 20-year-old Florida man who lives with his mom was the "security researcher" that Uber paid off last year not to reveal a massive hack of its systems. In a typically Uber take on network security, the ride-hailing app company paid the man $100,000 in October last year to destroy data he downloaded on 57 million users, …

DJI bug bounty NDA is 'not signable', say irate infosec researchers

Chinese drone maker DJI faces questions from infosec researchers about its bug bounty programme. Sources have told The Register that a non-disclosure agreement (NDA) they were invited to sign would result in the company "owning their actions". DJI's scheme to pay those that highlight security weaknesses, announced months ago …
Gareth Corfield, 16 Nov 2017

Hack apps, attack code drawbacks for cash stacks, Google yaks

Google is offering cash to those who can find, exploit and report bugs in its Android apps, or similarly hack other programs in its Play Store. The goal is to get a large number of people and developers working together on improving security in the Android world. The advertising giant is very familiar with bug bounties, and …
Iain Thomson, 20 Oct 2017

Make America late again: US 'lags' China in IT security bug reporting

The US is starting to fall well behind China in terms of the speed at which organizations are alerted to reported security vulnerabilities, according to a study out this week by threat intel biz Recorded Future. The US government's National Vulnerability Database (NVD) lags China’s National Vulnerability Database (CNNVD) in …
John Leyden, 20 Oct 2017

Samsung mobile launches bug bounty program

Samsung's mobile limb has become the latest major vendor to launch a bug bounty program, and within its tight rules, it offers a tasty maximum prize of US$200,000. The bounty is for newer devices only – 38 mobile devices launched since 2016, including Galaxies S, Note, A, J, and Tab, and the top-of-the-line S8, S8+, and …

Look, we know you're all hacking DJI drones. How 'bout a bug bounty?

Bending to public pressure as more and more drone hackers break into their kit, Chinese firm DJI has now announced a bug bounty program. "Security researchers, academic scholars and independent experts often provide a valuable service by analysing the code in DJI's apps and other software products and bringing concerns to …
Gareth Corfield, 29 Aug 2017

Schoolboy bags $10,000 reward from Google with easy HTTP Host bypass

A teenager in Uruguay has scored big after finding and reporting a bug in Google's App Engine to view confidential internal Google documents. While bored in July, high schooler Ezequiel Pereira, who has all the makings of a competent security researcher, used Burp to manipulate the Host header in web connections to Google's …
Iain Thomson, 10 Aug 2017

Microsoft adds all of Windows – including Server – to extended bug bounty program

Microsoft has extended its bug bounty program for Windows Insider to include the whole of the OS, extended its operation indefinitely and added Windows Server Insider to the eligibility list. Redmond previously offered bounties for specific Windows features only. Now you can score sweet Seattle-sourced dollars for finding a …
Simon Sharwood, 27 Jul 2017

Security bug bounty programs are a nice little earner for hackers

Some security-conscious organizations award hackers up to $900,000 a year, according to what's touted as the biggest bug bounty industry report to date. The study – commissioned by HackerOne, a bug bounty and vulnerability disclosure platform provider – examined 800 hacker-powered programs and 50,000 resolved security …
John Leyden, 29 Jun 2017

HackerOne says 'no' to FlexiSpy stalkerware bug bounty program

Bug bounty organizer HackerOne has told stalkerware developer FlexiSpy that it won't take its business because of the ethics – or lack thereof – that the software maker exhibits. FlexiSpy has been around for years and is a surveillance application sold to paranoid spouses and those parents and employers who want to know more …
Iain Thomson, 5 May 2017

Intel touts bug bounties to hardware hackers

Intel has launched its first bug bounty program, offering rewards of up to $30,000. The chip maker has partnered with specialist bug bounty outfit HackerOne to create a scheme that aims to encourage hackers to hunt for flaws in Intel's hardware, firmware and software. Intel will pay up to $30,000 for critical hardware …
John Leyden, 16 Mar 2017

Slack quick to whack account hijack crack

Slack quickly squashed a potential account hijack bug hours after it was reported. Frans Rosén, a security researcher at Detectify, discovered a vulnerability in Slack that created a means for a malicious website to steal a user's Slack token, potentially seizing control of their account in the process. Slack fixed the bug in …
John Leyden, 3 Mar 2017

'I found a bug that let anyone read anyone's Yahoo! Mail and all I got was this $10k check'

A security researcher says he bagged $10k after discovering and reporting a serious flaw in Yahoo! Mail that could have been exploited by crooks to read victims' messages. Jouko Pynnönen says he reported the vulnerability in Yahoo! Mail via bug-bounty organizers HackerOne. "The impact of the bug is similar to the one I …
John Leyden, 9 Dec 2016

Hack the Army: US military begs white hats to sweep it for bugs

Security experts reckon the US government’s newly unveiled "Hack the Army" bug bounty programme may usher in greater co-operation across the whole arena of security research. The US Army will offer cash rewards to hackers who find vulnerabilities in selected, public-facing Army websites under the scheme, which builds on the US …
John Leyden, 22 Nov 2016

Qualcomm now offering US$15k for security bugs

Qualcomm's been bitten by the bounty bug, signing on with HackerOne to offer up to US$15,000 for vulnerabilities in modems and processors. The bounty covers Snapdragon 400, 615, 801, 805, 808, 810, 820 and 821 processors, and its X5, X7, X12 and X16 LTE modems. A vulnerability in any one of these would reach a long way into …

Biting the hand that feeds IT © 1998–2018